Privacy policy

We at Candy Recycling GmbH take protection of personal data very seriously. Therefore, we want you to know when we collect data, what type of data we collect and how we use it. We have taken technical and organisational measures to ensure that data protection regulations are observed not only by us but also external service providers. Compliance with applicable data protection law is continuously monitored by our data protection officer.

Controller

Candy Recycling GmbH

Lister Damm 19
30163 Hannover
Germany

E-Mail:info@candyrecycling.com

Managing Directors: Herr Heiko Kühn, Herr Frank Temme
Company and legal information: http://www.candyrecycling.com/imprint.php

Data protection officer :
Stefan Breitkopf, MC Arztsysteme Rheinland,
datenschutz@candyrecycling.com

Person responsible for content:
Managing Directors: Mr Heiko Kühn, Mr Frank Temme

Agency:
dege.kommunikation gmbh
Kaiserstraße 77
72764 Reutlingen

Types of processed data:

- User data (e.g. names, addresses).
- Contact details (e.g. email, telephone numbers).
- Content data (e.g. text input, photographs, videos).
- Usage data (e.g. visited websites, interest in content, access times).
- Meta/ communication data (e.g. device information, IP addresses).

Categories of data subjects

Visitors and users of the website (hereinafter referred to collectively as "users").

Purposes of processing

- Provisioning of the website, its functions and content.
- Answering contact requests and communication with users.
- Security measures.
- Reach measurement/ marketing

Definitions

"Personal data" means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and covers virtually every aspect of dealing with data.

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Relevant legal bases

In accordance with Article 13 GDPR we are required to inform you about the legal bases for data processing. If the legal basis is not specified in the privacy policy, the following applies: the legal basis for obtaining consent is Article 6 (1) (a) and Article 7 GDPR, the legal basis for the performance of contract and the implementation of pre-contractual measures and responding to your inquiries is Article 6 (1) (b) GDPR, the legal basis for processing necessary for compliance with legal obligations Article 6 (1) (c) GDPR, and the legal basis for processing necessary to pursue our legitimate interests is Article 6 (1) (f) GDPR. The legal basis for processing necessary to protect the vital interests of the data subject or of another natural person is Article 6 (1) (d) GDPR.

Cooperation with processors and third parties

If, in the context of our processing, we disclose data to other persons or companies (processors or third parties), transmit the data to them or otherwise grant access to the data, this will only take place if we are permitted to so by law, (e.g. where the transmission of the data to third parties, e.g. payment service providers is necessary for the performance of a contract pursuant to Article 6 (1) (b) GDPR), you have given consent, the processing is necessary for compliance with a legal obligation or for the purpose of our legitimate interests (e.g. the use of agents, web hosting providers, etc.).

Where we engage third parties to process data on the basis of a so-called "data processing agreement", this is done on the basis of Article 28 GDPR.

Transmission to third countries

Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA) or in the context of the use of third-party services or disclosure or transmission of data to third parties, processing will only take place if it is necessary to meet our pre-contractual or contractual obligations, you have given consent to processing, for compliance with a legal obligation or for the purpose of our legitimate interests. Without prejudice to legal or contractual permits, we process the data or have the data processed in a third country only if the requirements of Article 44 et seq. GDPR have been met. This means that processing is carried out, for example, on the basis of special guarantees, such as the officially recognised assessment of the adequacy of the level of data protection (e.g. the "Privacy Shield" in the US) or in compliance with officially recognised contractual obligations (so-called "standard contractual clauses").

Rights of data subjects

Under Article 15 GDPR, you have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and other information, as well as a copy of the personal data undergoing processing.

Under Article 16 GDPR, you have the right to have inaccurate personal data rectified and incomplete personal data completed.

You have the right to obtain the erasure of personal data concerning you without undue delay under Article 17 GDPR or, alternatively, you have the right to obtain restriction of processing under Article 18 GDPR.

Under Article 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us and have the right to transmit those data to another controller.

Under Article 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.

Right of withdrawal

Under Article 7 (3) GDPR, you have the right to withdraw your consent with effect for the future.

Right to object

Under Article 21 GDPR, you have the right to object to the future processing of data concerning you at any time. Users have, in particular, the right to object to the processing of their data for direct marketing purposes.

Cookies and the right to object to direct marketing

"Cookies" are small files that are stored on users computers. Cookies can store a variety of information. Cookies are primarily used to store information about users (or devices on which the cookies are stored) during or after their visit to a website. Temporary cookies, "session cookies" or "transient cookies", are cookies which will be deleted after the user leaves a website and closes his/her browser. These types of cookies are used e.g. to store the content of the shopping basket in an online store or the login status. Cookies that are referred to as "permanent" or "persistent" are cookies that remain stored even after the browser has been closed. For example, the login status can be stored if users visit it after several days have passed. Such cookies can also be used to store the interests of users for reach measurement or marketing purposes. "Third-party cookies" are cookies that are set by providers other than the data controller operating the website (where cookies are only set by the controller they are referred to as "first-party cookies").

We may use temporary and permanent cookies and provide information about the cookies we use in the privacy policy.

You can prevent cookies from being stored on your computer by deactivating the relevant option in your browser settings. You can also delete previously stored cookies in the system settings of your browser. Please note that if you block cookies, this may limit the functionality of our website.

In general, users can exercise their right to object to the use cookies for online marketing purposes for a range of services, in particular, tracking using the US website http://www.aboutads.info/choices/or the EU website http://www.youronlinechoices.com/. Furthermore, you can disable the storage of cookies by changing your browser's settings. Please note that if you do this, you may not be able to use all the functions and features of this website.

Erasure of data

The data we process will either be erased or restricted in processing in accordance with Articles 17 and 18 GDPR. Unless explicitly stated in this privacy policy, the data we store will be erased as soon as the data are no longer necessary in relation to the purposes for which they were collected and this does not conflict with statutory retention requirements. Where the data is not erased because it is necessary for other and legally permissible purposes, the processing of the data will be restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that has to be retained for business or tax reasons.

In accordance with legal requirements in Germany, the retention period is usually 6 years pursuant to Article 257 (1) of the German Commercial Code (HGB) (account books, inventories, opening balance sheets, annual accounts, business correspondence, accounting records, etc.) or 10 years under Article 147 (1) of the German Tax Code (books, records, management reports, accounting, tax-related records, etc.).

In accordance with legal requirements in Austria, the retention period is usually 7 years pursuant to Article 132 of the Austrian Federal Fiscal Code (BAO) (accounting documents, receipts / invoices, accounts, receipts, business documents, income statements, etc.), or 22 years in connection with real estate and 10 years in the case of documents relating to electronically supplied services, telecommunications, broadcasting and television services provided to non-businesses in EU member states and for which the Mini-One-Stop-Shop (MOSS) is used.

Business-related processing

In addition we process
- Contract data (e.g. subject matter and term of the contract, customer category).
- Payment data (e.g. bank details, payment history)
from our customers, prospects and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising and market research.

Hosting

We use hosting services to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services that we use for the purpose of operating this website.

In so doing, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, metadata and communication data of customers, prospective customers or visitors of this website on the basis of our legitimate interests in an efficient and secure website provisioning in accordance with Article 6 (1) (f) GDPR in conjunction with Article 28 GDPR (conclusion of a data processing agreement).

Collection of access data and log files

On the basis of our legitimate interests within the meaning of Article 6 (1) (f) GDPR, we or our hosting provider collects data about each access to its servers on which this service is located (so-called server log files). The access data include the name of the accessed website, file, date and time of access, amount of data transferred, notification on successful access, browser type plus version, the operating system of the user, referrer URL (previously visited page), IP address and the requesting provider.

Log file information is stored for security reasons (e.g. to investigate abusive or fraudulent activities) for a maximum of 7 months and then erased. Data which needs to be stored to provide evidence are exempt from erasure until the relevant incident has been resolved.

Communication

When users contact us (by email, post, in person, by telephone or through social media) we collect user information to process the contact request in accordance with Article 6 (1) (b) GDPR. User information can be stored in our customer relationship management system ("CRM system") or a similar system.

We will erase your inquiries when they are no longer needed. We review this need every two years; in all other respects, the statutory retention requirements apply.